Safeguard
Tag

admission-control

Safeguard articles tagged "admission-control" — guides, analysis, and best practices for software supply chain and application security.

15 articles

DevSecOps

Writing Rego policies for Kubernetes admission control and CI gates

Open Policy Agent graduated CNCF on Jan 29, 2021 — yet most teams still ship Rego with no default-deny, turning a policy gate into a rubber stamp.

Jul 11, 20268 min read
Kubernetes Security

Container and Kubernetes scanning in agent-driven DevOps, without new trust boundaries

Autonomous agents that rebuild and redeploy containers can patch a CVE in under an hour — or become a new privileged path to production if scanning isn't gated.

Jul 10, 20267 min read
DevSecOps

A hands-on introduction to Rego for Kubernetes admission control

OPA graduated CNCF on January 29, 2021, and Rego v1 became the default syntax in OPA v1.0.0 (Dec 2024) — here's how to write your first admission-control policies.

Jul 8, 20266 min read
Container Security

Kubernetes Admission Controllers for Security

Admission controllers are the policy chokepoint between a validated API request and a running workload. Used well, they enforce your entire security posture. Here is how validating webhooks, Kyverno, OPA, and the new CEL-based policies fit together.

Jul 7, 20265 min read
Container Security

Pod Security Standards: The Complete Guide

PodSecurityPolicy is gone. Pod Security Admission and the three Pod Security Standards are how you enforce baseline and restricted profiles in modern Kubernetes — here is how to adopt them without breaking workloads.

Jul 3, 20265 min read
Container Security

Kubernetes Admission Controller Policy Patterns in 2026

A field guide to the admission control patterns that survived contact with production clusters: validating webhooks, image policy, mutating defaults, and what to skip.

Feb 11, 20266 min read
Architecture

Safeguard Policy Evaluation Engine

How Safeguard's policy engine evaluates thousands of rules per artifact with predictable latency — the compiler, the cache layer, and the decision trail.

Feb 8, 20268 min read
Container Security

How to set up OPA Gatekeeper for Kubernetes admission con...

A step-by-step guide to OPA Gatekeeper Kubernetes admission control: install, write constraint templates, roll out safely, and verify enforcement.

Feb 8, 20267 min read
Container Security

What is Admission Control (Kubernetes)

Admission control is the last checkpoint in Kubernetes before an object is written to etcd — here's how webhooks, PSA, and policy engines enforce it.

Jan 31, 20267 min read
Buyer's Guides

Best Kubernetes admission control tools

A practical comparison of Kubernetes admission control tools — OPA/Gatekeeper, Kyverno, Kubewarden, Styra, jsPolicy, and Polaris — with real strengths, limits, and evaluation criteria.

Nov 12, 20258 min read
Container Security

How Snyk IaC's admission-time Kubernetes scanning differs...

How Snyk IaC's static manifest scanning, the Snyk Controller's in-cluster monitoring, and true Kubernetes admission control mechanically differ — and why the gap between them matters.

Aug 30, 20257 min read
Container Security

Kubernetes 1.30 and 1.31 Security Rundown

ValidatingAdmissionPolicy GA, VolumeSource for OCI artifacts, and anonymous API cleanup: what 1.30 and 1.31 change for cluster security posture.

Sep 20, 20245 min read
admission-control — Safeguard Blog